Trust at Pluralsight

All products on Pluralsight’s platform follow the same secure practices to keep customer data safe.

• Network security: Pluralsight adheres to industry best practices of segmenting networks logically with firewalls and access control lists (ACLs). Network access is restricted to authorized individuals and network availability is monitored by the Operations and IT teams. Remote access to the production environment is limited to authorized technology teams. VPN entry points provide controlled access to environments using multi-factor authentication.
  
• Application security: Pluralsight leverages application scanning technologies to detect common issues within our custom code. Common methodologies and practices (such as OWASP top 10 and industry secure coding practices) are followed.
  Open source code dependencies are tracked and managed by development teams.  All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing.
  
• Web Application Firewall (WAF): Pluralsight has partnered with CloudFlare to implement Web Application Firewall capabilities into the Pluralsight platform. These capabilities (and others) are managed by the product security teams and incorporate best practices for mitigations against the main types of attacks seen against online platforms such as: DDoS protection, brute force attacks, credential stuffing, etc. In addition to network security controls applied at the enterprise level, advanced mitigation techniques are employed to protect against malicious attempts and to block bad actors from impacting Pluralsight systems.
  
• Perimeter protections: The Pluralsight platform uses integrated access controls and security groups to limit the exposure of internal services to the world wide web. Load balancing and proxies are also used to frontend any external services to provide a single exposure point for securing, monitoring, and alerting. Intrusion detection systems (IDS) and/or technologies are implemented to detect ingress and egress security issues.
• Server hardening: Pluralsight promotes internal server hardening guidelines to ensure that new infrastructure is appropriately safeguarded by disabling unnecessary ports, changing default passwords, and applying custom controls to each server before being put into production.
  
• Identity: Pluralsight offers Multi-Factor Authentication (MFA) to confirm customer identity by using a combination of different factors, rather than password alone. With multi-factor authentication, customers have the option of using an authenticator app on their smartphone to generate a code. This code, used in conjunction with user email address and password, will guard accounts and be used to log in to the Pluralsight platform. Pluralsight also offers Single Sign On (SSO) for Enterprise Customers.
  

• Availability: An important feature of Pluralsight is the ability to securely access the learning platform at any time, from any device, and from any location. Our platform is designed to be highly available. Clustered elastic load balancers (ELBs) and high availability proxies (HAProxy) are utilized to ensure our learning services are always accessible. 
  
• Data storage: Pluralsight is hosted in Amazon Web Services (AWS) and is therefore protected by the same level of logical and physical security controls that AWS has for all clients. AWS maintains their own documentation and certifications for security and regulatory compliance. Data is replicated across multiple availability zones and regions.
• Encryption / Cryptology: 
  Data in transit
  All data transferred to destinations outside of Pluralsight environments via the Pluralsight website are encrypted via TLS 1.2 (or higher) using at least 2048 bit RSA.
  Data at rest
  All Pluralsight provided devices are encrypted and the recovery key centrally managed and stored by the IT team.
  
• Secure software development practices: Pluralsight promotes an effective and secure software development lifecycle (SDLC) that includes, among other requirements, code reviews for feature enhancements, bug fixes, emergency changes, and incident management. The agile nature of this process allows teams to follow their own release cycles and provide continuous improvement without creating a bottleneck.

  Precautions are taken to identify any potential vulnerabilities that could lead to an incident by having an impact on the confidentiality, integrity and/or the availability of our service. Some of those precautions include:

  - Vulnerability scanning
  - Annual Security Awareness Training
  - Annual Secure Code Training
  - Penetration Tests
  - Bug Bounties
  - Code Scanning (DAST/SAST)
• Disaster recovery/business continuity: Pluralsight’s Disaster Recovery Plan (DRP) is validated annually to ensure all customer information can be recovered quickly, accurately, and efficiently. All customer data is backed up daily via snap-shots housed in a separate cloud region.
  Additionally, Pluralsight’s Business Continuity Plan (BCP) is designed to provide immediate response and subsequent recovery from any unplanned business interruption including any business interruption which results in the loss of a critical service (power, computer services, telecommunications, etc.), loss of access to the facility (asbestos contamination, chemical spill, etc.) or loss of the facility (fire, natural disaster, etc.)